Candidate: CVE-2021-3559
PublicDate: 2021-05-24 12:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3559
 https://bugzilla.redhat.com/show_bug.cgi?id=1962306
Description:
 A flaw was found in libvirt in the virConnectListAllNodeDevices API in
 versions before 7.0.0. It only affects hosts with a PCI device and driver
 that supports mediated devices (e.g., GRID driver). This flaw could be used
 by an unprivileged client with a read-only connection to crash the libvirt
 daemon by executing the 'nodedev-list' virsh command. The highest threat
 from this vulnerability is to system availability.
Ubuntu-Description:
Notes:
 mdeslaur> introduced in 6.10.0-rc1, fixed in 7.0.0-rc1
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H [6.5 MEDIUM]

Patches_libvirt:
upstream_libvirt: not-affected (debian: Vulnerable code never in a released version)
trusty_libvirt: ignored (out of standard support)
trusty/esm_libvirt: not-affected
xenial_libvirt: ignored (out of standard support)
esm-infra/xenial_libvirt: not-affected
bionic_libvirt: not-affected (4.0.0-1ubuntu8.19)
focal_libvirt: not-affected (6.0.0-0ubuntu8.9)
groovy_libvirt: not-affected (6.6.0-1ubuntu3.5)
hirsute_libvirt: not-affected (7.0.0-2ubuntu2)
impish_libvirt: not-affected (7.0.0-2ubuntu2)
jammy_libvirt: not-affected (7.0.0-2ubuntu2)
devel_libvirt: not-affected (7.0.0-2ubuntu2)